activeContent in nsEventStateManager::PostHandleEvent looks unsafe

RESOLVED FIXED

Core
DOM: Events
7 years ago
7 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

unspecified
x86
All

Firefox Tracking Flags

(blocking1.9.2 needed, status1.9.2 .11-fixed, blocking1.9.1 needed, status1.9.1 .14-fixed)

Details

(Whiteboard: [sg:critical?][critsmash:patch])

Attachments

(1 attachment)

(Assignee)

Description

7 years ago
Created attachment 473527 [details] [diff] [review]
patch

The variable is nsIContent*, but scripts may run before it is used.

I don't have a testcase, but based on the code this might lead to a crash when
using image maps and deleting the image element when it gets focus.
Or something like that.
Attachment #473527 - Flags: review?(roc)
Attachment #473527 - Flags: approval2.0?
Attachment #473527 - Flags: approval1.9.2.10?
Attachment #473527 - Flags: approval1.9.1.13?
Attachment #473527 - Flags: review?(roc)
Attachment #473527 - Flags: review+
Attachment #473527 - Flags: approval2.0?
Attachment #473527 - Flags: approval2.0+

Updated

7 years ago
Whiteboard: [sg:critical?][critsmash:patch]
(Assignee)

Updated

7 years ago
Assignee: nobody → Olli.Pettay
Comment on attachment 473527 [details] [diff] [review]
patch

Approved for 1.9.2.11 and 1.9.1.14, a=dveditz
Attachment #473527 - Flags: approval1.9.2.11?
Attachment #473527 - Flags: approval1.9.2.11+
Attachment #473527 - Flags: approval1.9.1.14?
Attachment #473527 - Flags: approval1.9.1.14+
blocking1.9.1: --- → needed
blocking1.9.2: --- → needed
status1.9.1: --- → wanted
status1.9.2: --- → wanted
(Assignee)

Comment 2

7 years ago
http://hg.mozilla.org/mozilla-central/rev/99aa53d645ca
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2d8e67f58719
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b48f479bfc99
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.1: wanted → .14-fixed
status1.9.2: wanted → .11-fixed
Resolution: --- → FIXED
Group: core-security